Sister CISA CISSP

A study just released by the University of California at Berkeley details just how much big business uses web tracking, and how little those businesses appear to care about the privacy of their users.

This really is not new information. The biggest businesses use web tracking constantly to follow their visitors, and even Google gives you quite a lot of visitor information via Google Analytics. The issue, I believe, is how much is really being tracked and how well it is hidden.

Heard of “web bugs”? A web bug is a graphic on a web page or in an HTML email message that is designed to monitor who is reading the page or message. Web bugs are almost always invisible on a web page or in HTML email because they are typically only 1-by-1 pixel in size (and often transparent as well). They are represented as HTML IMG tags. The monitoring happens because your browser or mail client has to fetch the image: that request hands the tracker’s server your IP address, your browser details, the address of the page you are reading (via the Referer header) and any cookie the tracker has previously set. The tag doesn’t show up at all on the rendered page; you only see it if you look at the source code of the page. And how many of us do that?

The report goes into some very relevant detail about how web bugs are the predominant tool used by businesses because they are simple and “invisible” to the visiting user. For example, if you look at the source code of a web page, you’ll see something like this:

They are easy to identify once you look for them: the IMG tag is tiny or hidden, and its src points to a host other than the one serving the page, typically an ad network’s or analytics vendor’s server rather than another address on the site you are visiting.
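The following is an added example, not code from the original post or from the Berkeley report: a small scanner that applies the two tests just described to raw HTML. It pulls out every IMG tag, asks whether the image is invisible (1x1 or zero-size dimensions, or hidden by inline style) and whether its src resolves to a host outside the first-party domain. The page URL, the first-party domain and the HTML snippet are constructed for the example; the first-party check compares hostnames directly (a subdomain of the first party counts as first party), which is a simplification, since a real tool would compare registrable domains using the public suffix list.

```javascript
// Added example: find third-party "web bug" images in raw HTML.
// Runs under Node.js with no dependencies; all inputs below are constructed.

const PAGE_URL = "https://www.example.com/news/story.html"; // assumed page address
const FIRST_PARTY = "example.com";                           // assumed first-party domain

// Constructed HTML: two ordinary images, one first-party spacer, three web bugs.
const SAMPLE_HTML = `
<html><body>
<img src="/images/logo.png" width="200" height="60" alt="logo">
<img src="https://www.example.com/spacer.gif" width="1" height="1" alt="">
<img src="https://metrics.tracker-example.net/pixel.gif?id=42" width="1" height="1" alt="">
<img src="//ads.adnet-example.com/b.gif" style="display:none" alt="">
<img src="https://cdn.example.com/hero.jpg" width="800" height="400" alt="hero">
<img src='http://stats.other-example.org/t?x=1' height=1 width=1>
</body></html>`;

// Parse the attributes of a single <img ...> tag into a lowercase-keyed object.
// Handles double-quoted, single-quoted and unquoted values.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([a-zA-Z_:][-\w:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Return a reason string if the image would be invisible to the reader, else null.
function isInvisible(attrs) {
  const tiny = (v) => v !== undefined && /^\s*0*[01]\s*(px)?\s*$/i.test(v);
  if (tiny(attrs.width) || tiny(attrs.height)) return "1x1 or zero-size dimensions";
  const style = (attrs.style || "").toLowerCase();
  if (/display\s*:\s*none/.test(style) || /visibility\s*:\s*hidden/.test(style)) {
    return "hidden by inline style";
  }
  if (/(?:^|;)\s*(?:width|height)\s*:\s*0*[01]px/.test(style)) {
    return "1px or zero-size via inline style";
  }
  return null;
}

// Resolve src against the page URL; return the hostname if it is outside the
// first-party domain, or null if it is first-party or makes no network request.
function thirdPartyHost(src, pageUrl, firstParty) {
  let u;
  try { u = new URL(src, pageUrl); } catch (e) { return null; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null; // data: URLs etc.
  const host = u.hostname.toLowerCase();
  const fp = firstParty.toLowerCase();
  return host === fp || host.endsWith("." + fp) ? null : host;
}

// Scan HTML and return one record per suspected web bug, in document order.
function findWebBugs(html, pageUrl, firstParty) {
  const bugs = [];
  const tagRe = /<img\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[0]);
    if (!attrs.src) continue;
    const reason = isInvisible(attrs);
    if (!reason) continue;
    const host = thirdPartyHost(attrs.src, pageUrl, firstParty);
    if (!host) continue;
    bugs.push({ host, src: attrs.src, reason });
  }
  return bugs;
}

console.log(JSON.stringify(findWebBugs(SAMPLE_HTML, PAGE_URL, FIRST_PARTY), null, 2));
```

Run against the constructed page it reports the three third-party pixels and ignores the first-party spacer; a first-party 1x1 image is a layout trick, not a tracker, which is why both tests have to pass before an image is flagged. Note that the scanner only sees what is in the HTML you fetched: bugs injected later by JavaScript would need the same checks run against the live DOM (`document.images`) instead of the source.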

So, why should we care? After all, marketing people watch what we do all the time in the retail marketplace so they can target their products to the right audience. Benignly, ad networks can use web bugs to add information to a personal profile of which sites a person visits. That profile is keyed to the ad network’s browser cookie: because the same network’s pixel is embedded on many unrelated sites, your browser sends the same cookie with every one of those image requests, and the network links them all to one identity. At some later time the profile, stored in a database server belonging to the ad network, determines which banner ad you are shown.
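To make the linking concrete, here is an added example (not from the original post or the report) that plays the ad network’s side: it reads a handful of constructed request-log lines from a tracking pixel, each carrying the network’s cookie (or a dash when the browser sent none) and the Referer of the page that embedded the pixel, and builds the cross-site profile from them. The log format, cookie names and site names are all made up for the example.

```javascript
// Added example: how an ad network stitches web-bug hits into one profile.
// Constructed log format: "<timestamp> <cookie-or-dash> <referer-url>".
// All data below is invented for illustration.

const TRACKER_LOG = [
  "2011-06-01T12:00:01Z uid=ab12 https://news.example/politics/story-1",
  "2011-06-01T12:03:44Z uid=ab12 https://shop.example/cart?item=running-shoes",
  "2011-06-01T12:05:10Z uid=ab12 https://health.example/conditions/diabetes",
  "2011-06-01T12:05:12Z uid=9f3e https://news.example/sports",
  "2011-06-01T12:06:00Z - https://health.example/conditions/diabetes",
  "2011-06-01T12:07:30Z - https://shop.example/cart?item=tent",
];

// Parse one log line; returns null for malformed lines.
function parseHit(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length !== 3) return null;
  const [ts, cookie, referer] = parts;
  let url;
  try { url = new URL(referer); } catch (e) { return null; }
  return {
    ts,
    uid: cookie === "-" ? null : cookie.replace(/^uid=/, ""),
    site: url.hostname,
    // The Referer carries the full page URL, so the tracker learns the
    // specific page (and thus the topic), not merely which site was visited.
    page: url.pathname + url.search,
  };
}

// Group hits by cookie value. Hits with no cookie cannot be tied to anyone
// and are only counted, which is exactly why the cookie matters to the network.
function buildProfiles(lines) {
  const profiles = {};
  let unlinkedHits = 0;
  for (const line of lines) {
    const hit = parseHit(line);
    if (!hit) continue;
    if (hit.uid === null) { unlinkedHits++; continue; }
    const p = profiles[hit.uid] || (profiles[hit.uid] = { hits: 0, sites: new Set(), pages: [] });
    p.hits++;
    p.sites.add(hit.site);
    p.pages.push(hit.site + hit.page);
  }
  // Convert Sets to sorted arrays so the result is plain data.
  const out = {};
  for (const [uid, p] of Object.entries(profiles)) {
    out[uid] = { hits: p.hits, sites: [...p.sites].sort(), pages: p.pages };
  }
  return { profiles: out, unlinkedHits };
}

console.log(JSON.stringify(buildProfiles(TRACKER_LOG), null, 2));
```

Two things stand out in the output. First, visitor `ab12` is linked across a news site, a shop and a health site that share nothing but the same embedded pixel. Second, the two cookie-less hits land on the same pages but cannot be attributed to anyone, which is the whole point of the network’s cookie. Browsers of the period sent the full Referer on these requests; current browsers default to a referrer policy that trims cross-site referrers to the origin, so today the network would see `https://health.example/` rather than the condition page unless the embedding site chose otherwise.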

It’s rather like having someone shadow you everywhere you go during the course of the day. They just follow you around, writing down everything you look at or buy. Then they sell that information to someone else, but they won’t tell you what information they’ve written down or who they’re selling it to.

That seems pretty intrusive, when it’s put that way, doesn’t it?

Do you want to be able to SEE web bugs when you’re surfing? There used to be a nifty piece of software, BugNosis, but it is no longer available. It’s hard to complain about what you can’t see. So the guy following you is now invisible.

Current regulations allow third-party Web tracking without the user’s permission. “Third-party trackers are not governed by a Website’s privacy policy. Therefore, they have no incentive to allow users to view or delete information collected about them. In addition to this lack of participation, users have no ability to avoid third-party tracking. There is no opt-out, let alone opt-in.”

The report states that “In our analysis of privacy policies, 36 of the Websites affirmatively acknowledged the presence of third-party tracking. However, each of these policies also stated that the data collection practices of these third parties were outside the coverage of the privacy policy. This appears to be a critical loophole in privacy protection.”

“In our analysis of the privacy policies, we found that 46 of the top 50 companies affirmatively state that they share data with affiliates, and the four remaining were unclear,” the researchers report. “We sent each company a request via email or an online Web form for a list of each affiliate they may share data with. We received 14 replies, but none included the lists we asked for. Most stated that they do not disclose corporate information. Based on our experience, it appears that users have no practical way of knowing with whom their data will be shared.”


About This Blog

Are IT Engineers and IT Auditors natural enemies? Having worked on both sides of the fence, I have a unique understanding of the common ground of these disciplines. It all comes down to competence. Can you say SAS 70, (ooops, SSAE16), PCI, SOX404, Digital Forensics, Pentesting ...Geek?